Enabling CipherSpecs
Enable a CipherSpec by using the SSLCIPH parameter in either the DEFINE CHANNEL or ALTER CHANNEL MQSC command.
Some of the CipherSpecs that you can use with IBM MQ are FIPS compliant. Some of the FIPS compliant CipherSpecs are also Suite B compliant although others, such as TLS_RSA_WITH_AES_256_CBC_SHA, are not.
All Suite B compliant CipherSpecs are also FIPS compliant. All Suite B compliant CipherSpecs fall into two groups: 128 bit (for example, ECDHE_ECDSA_AES_128_GCM_SHA256) and 192 bit (for example, ECDHE_ECDSA_AES_256_GCM_SHA384).
The following diagram illustrates the relationship between these subsets:
From IBM MQ 9.2.0, the product supports the TLS 1.3 security protocol on all platforms.
- IBM MQ for Multiplatforms, as described in Providing a custom list of ordered and enabled CipherSpecs on IBM MQ for Multiplatforms.
- IBM MQ for z/OS®, as described in Providing a custom list of ordered and enabled CipherSpecs on IBM MQ for z/OS.
Deprecated CipherSpecs that you can re-enable to use with IBM MQ if necessary are listed in Deprecated CipherSpecs. For information about enabling the deprecated CipherSpecs, see Enabling deprecated CipherSpecs on IBM MQ for Multiplatforms or Enabling deprecated CipherSpecs on z/OS.
CipherSpecs that you can use with IBM MQ TLS support
CipherSpecs that you can use with the IBM MQ queue manager automatically are listed in the following table. When you request a personal certificate, you specify a key size for the public and private key pair. The key size that is used during the TLS handshake is the size stored in the certificate unless it is determined by the CipherSpec, as noted in the table.
| Platform support ¹ | CipherSpec name | Hex code | Protocol used | MAC algorithm | Encryption algorithm (encryption bits) | FIPS ² | Suite B |
|---|---|---|---|---|---|---|---|
| Alias CipherSpecs | | | | | | | |
| All | ANY_TLS13_OR_HIGHER ³ ⁴ | N/A | Negotiated | Negotiated | Negotiated | Negotiated | Negotiated |
| All | ANY_TLS13 ⁴ ⁵ | N/A | TLS 1.3 | Negotiated | Negotiated | Negotiated | Negotiated |
| All | ANY_TLS12_OR_HIGHER ⁴ ⁶ | N/A | Negotiated | Negotiated | Negotiated | Negotiated | Negotiated |
| All | ANY_TLS12 ⁷ | N/A | TLS 1.2 | Negotiated | Negotiated | Negotiated | Negotiated |
| All | ANY ⁸ | N/A | Negotiated | Negotiated | Negotiated | Negotiated | Negotiated |
| CipherSpecs for TLS 1.3 | | | | | | | |
| All | TLS_AES_128_GCM_SHA256 | 1301 | TLS 1.3 | GCM | AES-128 with GCM (128) | Yes | No |
| All | TLS_AES_256_GCM_SHA384 | 1302 | TLS 1.3 | GCM | AES-256 with GCM (256) | Yes | No |
| All | TLS_CHACHA20_POLY1305_SHA256 | 1303 | TLS 1.3 | POLY1305 | CHACHA20 (256) | No | No |
| | TLS_AES_128_CCM_SHA256 | 1304 | TLS 1.3 | CBC-MAC | AES-128 with CTR (128) | Yes | No |
| | TLS_AES_128_CCM_8_SHA256 ¹⁰ | 1305 | TLS 1.3 | CBC-MAC | AES-128 with CTR (128) | Yes | No |
| CipherSpecs for TLS 1.2 | | | | | | | |
| All | TLS_RSA_WITH_AES_128_CBC_SHA256 ⁹ | 003C | TLS 1.2 | SHA-256 | AES (128) | Yes | No |
| All | TLS_RSA_WITH_AES_256_CBC_SHA256 ⁹ ¹¹ | 003D | TLS 1.2 | SHA-256 | AES (256) | Yes | No |
| All | TLS_RSA_WITH_AES_128_GCM_SHA256 ⁹ ¹² | 009C | TLS 1.2 | SHA-256 and AEAD GCM | AES (128) | Yes | No |
| All | TLS_RSA_WITH_AES_256_GCM_SHA384 ⁹ ¹¹ ¹² | 009D | TLS 1.2 | SHA-384 and AEAD GCM | AES (256) | Yes | No |
| All | ECDHE_ECDSA_AES_128_CBC_SHA256 ⁹ | C023 | TLS 1.2 | SHA-256 | AES (128) | Yes | No |
| All | ECDHE_ECDSA_AES_256_CBC_SHA384 ⁹ ¹¹ | C024 | TLS 1.2 | SHA-384 | AES (256) | Yes | No |
| All | ECDHE_RSA_AES_128_CBC_SHA256 ⁹ | C027 | TLS 1.2 | SHA-256 | AES (128) | Yes | No |
| All | ECDHE_RSA_AES_256_CBC_SHA384 ⁹ ¹¹ | C028 | TLS 1.2 | SHA-384 | AES (256) | Yes | No |
| | ECDHE_ECDSA_AES_128_GCM_SHA256 ¹¹ ¹² | C02B | TLS 1.2 | SHA-256 and AEAD GCM | AES (SHA384) | Yes | 128 bit |
| | ECDHE_ECDSA_AES_256_GCM_SHA384 ¹¹ ¹² | C02C | TLS 1.2 | SHA-384 and AEAD GCM | AES (SHA384) | Yes | 192 bit |
| All | ECDHE_RSA_AES_128_GCM_SHA256 ¹² | C02F | TLS 1.2 | SHA-256 and AEAD GCM | AES (128) | Yes | No |
| All | ECDHE_RSA_AES_256_GCM_SHA384 ¹¹ ¹² | C030 | TLS 1.2 | AEAD AES-128 GCM | AES (SHA384) | Yes | No |
Notes:
Using TLS 1.3 in IBM MQ
From IBM MQ 9.2.0, the product supports TLS 1.3 on all platforms. Before IBM MQ 9.2.0, TLS 1.3 support was available on AIX, Linux, and Windows for Continuous Delivery from IBM MQ 9.1.4.
- For IBM MQ for Multiplatforms queue managers, edit the qm.ini file and add the AllowTLSV13=TRUE property under the SSL stanza (link to
  SSL:
    AllowTLSV13=TRUE
- For IBM MQ for z/OS queue managers, edit the QMINI data set specified in the queue manager startup JCL and add the AllowTLSV13=TRUE property under the TransportSecurity stanza:
  TransportSecurity:
    AllowTLSV13=TRUE
- Uses the SSL 3.0 protocol.
- Uses RC4 or RC2 as the Encryption algorithm.
- Has an encryption key size (in bits) equal to or less than 112.
- Edit the queue manager's qm.ini file and change the setting of the AllowTLSV13 property to:
  SSL:
    AllowTLSV13=FALSE
- Edit the QMINI data set of the queue manager and change the setting of the AllowTLSV13 property to:
  TransportSecurity:
    AllowTLSV13=FALSE
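The following audit sketch is an added example, not IBM code. It reads the output of DISPLAY CHANNEL(*) SSLCIPH together with the queue manager's qm.ini or QMINI text, and flags channels whose SSLCIPH value is not in the CipherSpec table on this page or that need TLS 1.3 while AllowTLSV13=FALSE. The function names, the finding labels, the constructed sample input and the treatment of the ANY_TLS13 aliases as requiring TLS 1.3 are assumptions of this example.

```python
import re

# CipherSpec names transcribed from the table on this page.
ALIASES = {"ANY_TLS13_OR_HIGHER", "ANY_TLS13", "ANY_TLS12_OR_HIGHER", "ANY_TLS12", "ANY"}
TLS13 = set("""TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256
    TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256""".split())
TLS12 = set("""TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384
    ECDHE_ECDSA_AES_128_CBC_SHA256 ECDHE_ECDSA_AES_256_CBC_SHA384
    ECDHE_RSA_AES_128_CBC_SHA256 ECDHE_RSA_AES_256_CBC_SHA384
    ECDHE_ECDSA_AES_128_GCM_SHA256 ECDHE_ECDSA_AES_256_GCM_SHA384
    ECDHE_RSA_AES_128_GCM_SHA256 ECDHE_RSA_AES_256_GCM_SHA384""".split())
PAIR = re.compile(r"\bCHANNEL\(([^)*]+)\).*?\bSSLCIPH\(([^)]*)\)", re.S)

# Constructed sample input, not taken from a real queue manager.
SAMPLE_QM_INI = "SSL:\n   AllowTLSV13=FALSE\n"
SAMPLE_MQSC = """\
   CHANNEL(APP.SVRCONN)      CHLTYPE(SVRCONN)
   SSLCIPH(TLS_AES_256_GCM_SHA384)
   CHANNEL(PARTNER.RCVR)     CHLTYPE(RCVR)
   SSLCIPH(TLS_RSA_WITH_AES_256_CBC_SHA)
   CHANNEL(OPS.SVRCONN)      CHLTYPE(SVRCONN)
   SSLCIPH(ANY_TLS12_OR_HIGHER)"""

def allow_tlsv13(qm_ini):
    """AllowTLSV13 from the SSL or TransportSecurity stanza, or None when it is not set."""
    stanza = None
    for line in qm_ini.splitlines():
        key, _, value = (part.strip() for part in line.partition("="))
        if key.endswith(":") and not value:
            stanza = key[:-1]
        elif stanza in ("SSL", "TransportSecurity") and key.lower() == "allowtlsv13":
            return value.upper() == "TRUE"
    return None

def audit(mqsc_output, qm_ini):
    """Map each channel in DISPLAY CHANNEL(*) SSLCIPH output to a list of findings."""
    tls13_off = allow_tlsv13(qm_ini) is False
    findings = {}
    for channel, spec in PAIR.findall(mqsc_output):  # PAIR skips the echoed CHANNEL(*)
        spec, notes = spec.strip(), []
        if spec not in ALIASES | TLS13 | TLS12:
            notes.append("not-in-table")    # see the Deprecated CipherSpecs topic
        if tls13_off and (spec in TLS13 or spec.startswith("ANY_TLS13")):
            notes.append("tls13-disabled")  # assumed: ANY_TLS13* aliases need TLS 1.3
        findings[channel.strip()] = notes
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_MQSC, SAMPLE_QM_INI))
```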
IBM MQ MQI client and TLS 1.3
- If any weak CipherSpecs are enabled, AllowTLSV13 is set to FALSE and no TLS 1.3 CipherSpecs can be used.
- Otherwise, AllowTLSV13 is set to TRUE and the new TLS 1.3 CipherSpecs and alias CipherSpecs can be used.
Default CipherSpec values enabled in IBM MQ
In the default configuration for a new IBM MQ queue manager, IBM MQ provides support for the TLS 1.2 and TLS 1.3 protocols and various cryptographic algorithms using CipherSpecs. For compatibility purposes, IBM MQ can also be configured to use the SSL 3.0 and TLS 1.0 protocols and a number of cryptographic algorithms that are known to be weak or susceptible to security vulnerabilities. The list of CipherSpecs that are enabled in the default configuration might change when maintenance is applied.
- Only permit FIPS 140-2 compliant CipherSpecs using SSLFIPS.
- Only permit NSA Suite B compliant CipherSpecs using SUITEB.
- Permit a custom list of CipherSpecs using AllowedCipherSpecs.
- Permit a custom list of CipherSpecs using the AMQ_ALLOWED_CIPHERS environment variable.
- Permit the use of deprecated CipherSpecs using AllowWeakCipher or the AMQ_SSL_WEAK_CIPHER_ENABLE environment variable.
- Permit the use of deprecated CipherSpecs using DD statements in the CHINIT JCL.